Skip to content

Dev to qa #97

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
fpittelo merged 5 commits into from
Nov 29, 2025
Merged

Dev to qa #97

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
b1b3f0a
#94 correction
fpittelo Nov 29, 2025
3ae7131
#95 set up
fpittelo Nov 29, 2025
ca94b53
#94 second fix
fpittelo Nov 29, 2025
0787806
#94 third fix
fpittelo Nov 29, 2025
15c0455
#94 fourth update
fpittelo Nov 29, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .github/workflows/deploy-infra.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,9 @@ jobs:
echo "TF_VAR_google_client_id=${{ secrets.GOOGLE_CLIENT_ID }}" >> $GITHUB_ENV
echo "TF_VAR_google_client_secret=${{ secrets.GOOGLE_CLIENT_SECRET }}" >> $GITHUB_ENV




- name: Set Up Terraform
uses: hashicorp/setup-terraform@v2

Expand Down
32 changes: 31 additions & 1 deletion infra/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,12 @@ resource "azurerm_resource_group" "rg" {
}

#### Create the Azure Key Vault #####

# Retrieve the runner's public IP
data "http" "ip" {
url = "https://api.ipify.org"
}
Comment on lines +19 to +21
Copy link

@gemini-code-assist gemini-code-assist bot Nov 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Relying on a single external service like api.ipify.org to fetch the runner's IP address introduces a single point of failure. If this service is unavailable, your deployment pipeline will fail. Consider using a more robust solution, such as querying multiple services and using the first successful response, or using a service with higher availability guarantees if possible.


module "key_vault" {
source = "../modules/key_vault"

Expand All @@ -28,6 +34,15 @@ module "key_vault" {
depends_on = [azurerm_resource_group.rg]

tags = local.environment_vars.tags

key_vault_ip_rules = [data.http.ip.response_body]
}

# Wait for firewall rule propagation
resource "time_sleep" "wait_for_firewall" {
create_duration = "60s"

depends_on = [module.key_vault]
}
Comment on lines +42 to 46
Copy link

@gemini-code-assist gemini-code-assist bot Nov 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Using time_sleep to handle propagation delays for Azure firewall rules is a common but brittle approach. The 60s duration is a magic number and may not be sufficient in all cases, leading to intermittent failures. Conversely, it might be unnecessarily long, slowing down your pipeline. While there isn't a perfect alternative in Terraform for this specific scenario, be aware of this potential flakiness. If you experience failures, you may need to increase this duration.


# Get the current service principal/client object ID
Expand All @@ -42,6 +57,20 @@ resource "azurerm_role_assignment" "key_vault_secrets_officer" {
depends_on = [module.key_vault]
}

# Look up the user to grant access to
data "azuread_user" "admin_user" {
user_principal_name = "frederic.pitteloud@fpittelo.ch"
}
Comment on lines +61 to +63
Copy link

@gemini-code-assist gemini-code-assist bot Nov 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

The user principal name (UPN) is hardcoded. This is not a good practice as it makes the code less reusable and harder to maintain. If another user needs access, or if you deploy this to another environment, you'll need to change the code. This should be a variable.

You should add a new variable in variables.tf, for example:

variable "admin_user_principal_name" {
  description = "The User Principal Name of the admin user to grant Key Vault access."
  type        = string
}

Then, use that variable here.

data "azuread_user" "admin_user" {
  user_principal_name = var.admin_user_principal_name
}


# Assign Key Vault Administrator role to the user
resource "azurerm_role_assignment" "key_vault_admin_user" {
scope = module.key_vault.key_vault_id
role_definition_name = "Key Vault Administrator"
principal_id = data.azuread_user.admin_user.object_id

depends_on = [module.key_vault]
}

resource "azurerm_key_vault_secret" "openai_key" {
name = "openai-api-key"
value = module.cognitive_account.openai_key
Expand All @@ -50,7 +79,8 @@ resource "azurerm_key_vault_secret" "openai_key" {
depends_on = [
module.key_vault,
module.cognitive_account,
azurerm_role_assignment.key_vault_secrets_officer
azurerm_role_assignment.key_vault_secrets_officer,
time_sleep.wait_for_firewall
]
}

Expand Down
8 changes: 8 additions & 0 deletions infra/providers.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,14 @@ terraform {
source = "cyrilgdn/postgresql"
version = "1.17.0"
}
http = {
source = "hashicorp/http"
version = "~> 3.4.0"
}
time = {
source = "hashicorp/time"
version = "~> 0.9.0"
}
}

backend "azurerm" {
Expand Down
2 changes: 2 additions & 0 deletions infra/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -186,3 +186,5 @@ variable "google_client_secret" {